Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Unpacking Packed Executables
Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques.
FOR610 Labs: 4.1, 4.2, 4.3, 5.3, 5.8, 5.10
Steps
Step 1: Packing Identification
Tools: tools/diec, tools/peframe
Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed).
diec specimen.exe
peframe specimen.exe
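As an added example (not part of this wiki page and not code from DIE or peframe): a dependency-free Python triage script that parses the PE section table and applies the Step 1 heuristics, per-section Shannon entropy against the 7.0 threshold, non-standard section names, and sections with zero raw size but a large virtual size (the usual UPX0 layout, and the same raw-size problem the Step 7 check looks for on a memory dump). Both PE images are constructed in-script by a small builder so it runs offline; the STANDARD_NAMES set, the builder and the sample section contents are assumptions of this example.

```python
import math
import random
import struct
from collections import Counter

# Section names a typical MSVC/MinGW build emits; anything else deserves a look.
# Assumption of this example, not an exhaustive list.
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids"}
ENTROPY_THRESHOLD = 7.0  # the page's rule of thumb: > 7.0 suggests packing/encryption


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for compressed or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (no pefile needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # COFF NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", pe, coff + 16)[0]    # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_hdr_size                             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packing_indicators(pe: bytes):
    """Return (sections, findings); an empty findings list means no Step 1 red flags."""
    sections = parse_sections(pe)
    findings = []
    for s in sections:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"high entropy {s['entropy']} in {s['name']}")
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"unusual section name {s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']} has no raw data but {s['virtual_size']:#x} bytes "
                            f"virtual (room for the unpacked code)")
    return sections, findings


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32+ image: headers, section table and raw data only, not runnable."""
    e_lfanew, opt_hdr_size, file_align = 0x80, 0xF0, 0x200
    table = e_lfanew + 4 + 20 + opt_hdr_size
    first_raw = -(-(table + 40 * len(sections)) // file_align) * file_align
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_hdr_size, 0x22)
    hdr += b"\0" * opt_hdr_size  # zero-filled optional header; the parser only needs its size
    body, vaddr = bytearray(), 0x1000
    for name, vsize, data in sections:
        raw_ptr = first_raw + len(body) if data else 0
        hdr += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                           len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return bytes(hdr.ljust(first_raw, b"\0") + body)


# Constructed inputs: a UPX-style layout (empty UPX0, high-entropy UPX1) and a plain build.
_rng = random.Random(1)
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", 0x20000, b""),
    ("UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", 0x200, b"\0" * 0x200),
])
CLEAN_SAMPLE = build_sample_pe([
    (".text", 0x400, b"\x48\x89\xe5\x90\xc3" * 200),
    (".data", 0x100, b"hello world\0" * 20),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        secs, findings = packing_indicators(sample)
        print(label, [(s["name"], s["entropy"]) for s in secs], findings or "no indicators")
```

Run it against a real file with `packing_indicators(open(path, "rb").read())`; after Step 6 or Step 7, running it again on the dump should show entropy dropping on the former packed section and every section carrying raw data.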
Step 2: Automated Unpacking
Tools: tools/upx, tools/de4dot
Try known unpackers first: upx -d for UPX, de4dot for .NET. If automated unpacking fails (modified packer), proceed to manual.
upx -d packed.exe
de4dot obfuscated.exe
Step 3: Emulation-Based Unpacking
Tools: tools/speakeasy, tools/qiling
Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns.
speakeasy -t specimen.exe -o report.json 2> report.txt
python3 -c "from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs'); ql.run()"
Step 4: Debugger-Based Unpacking [W]
Tools: tools/x64dbg, tools/x32dbg
Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP.
Step 5: Anti-Debug Bypass [W]
Tools: tools/scyllahide
If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks.
Step 6: Memory Dumping [W]
Tools: tools/ollydumpex, tools/scylla
At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump).
Step 7: PE Fixup [W]
Tools: tools/pe-unmapper
If dump has virtual alignment: pe_unmapper /in /base 400000 /out . Only needed if sections have wrong raw sizes.
Step 8: Verification
Tools: tools/strings, tools/peframe, tools/capa
Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis.
strings binary.exe
peframe specimen.exe
capa specimen.exe
#unpacking #packing #iat #memory-dump #oep #workflow